From ab51cd90a077c2938620afedc61e2da21cb509be Mon Sep 17 00:00:00 2001
From: Christof Schmitt <christof.schmitt@us.ibm.com>
Date: Mon, 5 Aug 2013 11:16:22 -0700
Subject: [PATCH 1/2] FSCTL_GET_SHADOW_COPY_DATA: Initialize output array to
zero
Otherwise num_volumes and the end marker can return uninitialized data
to the client.
Signed-off-by: Christof Schmitt <christof.schmitt@us.ibm.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
(cherry picked from commit 30e724cbff1ecd90e5a676831902d1e41ec1b347)
---
source3/modules/vfs_default.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index f6200ed..97cd292 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -1151,7 +1151,7 @@ static NTSTATUS vfswrap_fsctl(struct vfs_handle_struct *handle,
return NT_STATUS_BUFFER_TOO_SMALL;
}
- cur_pdata = talloc_array(ctx, char, *out_len);
+ cur_pdata = talloc_zero_array(ctx, char, *out_len);
if (cur_pdata == NULL) {
TALLOC_FREE(shadow_data);
return NT_STATUS_NO_MEMORY;
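Review bot: The new `talloc_zero_array` call carries no comment saying that the zero fill is what keeps stale heap bytes out of the reply, so a later cleanup could switch it back to `talloc_array` as a harmless-looking optimisation. I would add above the allocation `/* Zeroed on purpose: any byte of the reply not written below is sent to the client as-is. */`. Zeroing also only masks a mismatch between `*out_len` and the bytes actually filled in. The rest of vfswrap_fsctl lies outside this hunk, so it is worth confirming there that num_volumes and the end marker are written explicitly on every path.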
--
1.9.3
From dbe2ef7f66c4c5cde1e1300675fcb78f4de3af70 Mon Sep 17 00:00:00 2001
From: Christof Schmitt <christof.schmitt@us.ibm.com>
Date: Mon, 5 Aug 2013 11:21:59 -0700
Subject: [PATCH 2/2] FSCTL_GET_SHADOW_COPY_DATA: Don't return 4 extra bytes at
end
labels_data_count already accounts for the unicode null character at the
end of the array. There is no need to add space for it again.
Signed-off-by: Christof Schmitt <christof.schmitt@us.ibm.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Aug 6 04:03:17 CEST 2013 on sn-devel-104
(cherry picked from commit eb50fb8f3bf670bd7d1cf8fd4368ef4a73083696)
The last 2 patches address bug #10549 - CVE-2014-0178: Malformed
FSCTL_SRV_ENUMERATE_SNAPSHOTS response.
Autobuild-User(v4-1-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-1-test): Mon May 19 14:52:47 CEST 2014 on sn-devel-104
---
source3/modules/vfs_default.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
index 97cd292..7fda4b8 100644
--- a/source3/modules/vfs_default.c
+++ b/source3/modules/vfs_default.c
@@ -1141,7 +1141,7 @@ static NTSTATUS vfswrap_fsctl(struct vfs_handle_struct *handle,
if (!labels) {
*out_len = 16;
} else {
- *out_len = 12 + labels_data_count + 4;
+ *out_len = 12 + labels_data_count;
}
if (max_out_len < *out_len) {
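Review bot: The reply length set here and the needed_data_count written by `SIVAL(cur_pdata, 8, labels_data_count)` in the next hunk are still built separately from bare literals (`12`, `16`, offset `8`), so the two can drift apart again and the client would be told a size that does not match the bytes sent. A named header length used in both places, for example `*out_len = SHADOW_COPY_HDR_LEN + labels_data_count;` (name is a suggestion only), plus a short comment on why the `!labels` branch is `16`, would make the relationship checkable at a glance. The type and computation of `labels_data_count` are outside this hunk; if it scales with the number of snapshots, the addition should presumably be guarded against wrap before the `max_out_len` comparison.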
@@ -1168,7 +1168,7 @@ static NTSTATUS vfswrap_fsctl(struct vfs_handle_struct *handle,
}
/* needed_data_count 4 bytes */
- SIVAL(cur_pdata, 8, labels_data_count + 4);
+ SIVAL(cur_pdata, 8, labels_data_count);
cur_pdata += 12;
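Review bot: The comment above the `SIVAL` still reads only `needed_data_count 4 bytes` and does not record that `labels_data_count` already includes the terminating null, which is the fact the removed `+ 4` got wrong. I would extend it to `/* needed_data_count 4 bytes; labels_data_count already includes the trailing unicode null */` so the extra padding is not reintroduced. The surrounding statements of vfswrap_fsctl continue outside this hunk.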
--
1.9.3